In this commit, we integrate Tor onion services into the proxy. Clients
can now make their requests through Tor's encrypted network. To make
this possible, there were a few quirks, the most important being that
clients were unable to establish encrypted HTTP/2 connections due to
TLS certificates not being able to verify onion services. To work around
this, we now spin up an additional HTTP/2 server _without TLS_ that's
not exposed to the outside world and can only be accessed through the
onion services, which already provide encryption.
Once the onion services are created, we store their private keys within
etcd to ensure we can recover them later on as the proxy is intended to
be long-lived.
We move the proxy from using its placeholder macaroon creation and
verification to instead use the agreed upon macaroon design. Much of
this is solely a refactor, but some new functionality has also been
introduced as part of integrating the LSAT mint:
1. A request's target service is now verified to ensure its attached
LSAT is authorized.
2. The preimage is now checked against the token's committed payment
hash to ensure it has been paid for.
The service limiter holds all of the constraints that should be applied
to a given service at the base tier. These are currently static and are
parsed from the proxy's configuration file as a temporary work-around.
Eventually, we plan to integrate this with etcd as well in order to
achieve dynamic service discovery.
Allows the ability for the proxy to connect to an etcd cluster for any
reliable data storage purposes. No data is being stored yet as of this
commit, but we'll be storing LSAT secrets at a later commit.
One key component in this commit is that we introduce a new top level
key that will serve to hold all LSAT proxy-related data. Any nested keys
should be prefixed with said top level key.
Co-authored-by: Oliver Gugger <gugger@gmail.com>
